
AppDefend
Enterprise Application Protection for Oracle E-Business Suite

October 2023

mission critical applications … … mission critical security
About Integrigy

ERP Applications – Oracle E-Business Suite and PeopleSoft
Databases – Oracle, Microsoft SQL Server, DB2, Sybase, MySQL, NoSQL

Products
▪ AppSentry – ERP Application and Database Security Auditing Tool; validates ERP, Database, Sensitive Data (Verify Security)
▪ AppDefend – Enterprise Application Protection for Oracle E-Business Suite & PeopleSoft; protects Oracle EBS and PeopleSoft

Services
▪ Security Assessments – ERP, Database, Sensitive Data, Pen Testing (Verify Security)
▪ Compliance Assistance – SOX, GDPR, PCI, HIPAA (Ensure Compliance)
▪ Security Design Services – Auditing, Encryption, DMZ (Build Security)

Integrigy Research Team – ERP Application and Database Security Research
Agenda

1 AppDefend Overview

2 Application Protection and Defense

3 Application SSO and MFA

4 AppDefend Features

5 Q&A
Safe Harbor Statement

The following is intended to outline our general product direction. It is intended for information
purposes only and may not be incorporated into any contract. It is not a commitment to deliver any
material, code, or functionality, and should not be relied upon in making purchasing decisions. The
development, release, and timing of any features or functionality described for Integrigy’s products
remains at the sole discretion of Integrigy.
Integrigy’s Products

AppSentry – Security scanner for databases, application servers, and ERP packages
▪ Performs advanced penetration testing and in-depth security and controls auditing
▪ Performs over 1,000+ audits and checks on Oracle products
▪ Requires no software to be installed on the target servers

AppDefend – Application firewall and protection system for ERP packages
▪ Blocks common attacks like SQL injection, session hijacking, cross site scripting, and Java deserialization
▪ Blocks access to unimplemented application modules and pages
▪ Scans all incoming web requests and outbound responses
Section 1: AppDefend Overview
Integrigy AppDefend

AppDefend is an enterprise application firewall designed and optimized for the Oracle E-Business Suite.

▪ Prevents Web Attacks – Detects and reacts to SQL Injection, XSS, and known Oracle EBS vulnerabilities
with hybrid protection using WAF and RASP
▪ Limits EBS Modules – More flexibility and capabilities than URL firewall to identify EBS modules
▪ Protects Mobile Applications – Detects and reacts to attacks against Oracle EBS mobile applications
▪ Protects Web Services – Detects and reacts to attacks against native Oracle EBS web services (SOA, SOAP, REST)
▪ SSO and two-factor (2FA/MFA) – Enables SSO and two-factor authentication for login, user, responsibility,
or function
▪ Application Logging – Enhanced application logging for compliance requirements like SOX, GDPR, PCI-DSS 10.2
AppDefend Oracle E-Business Suite Support

Oracle E-Business Suite [1]
▪ 12.2.x
▪ 12.1.x
▪ 12.0.x
▪ 11.5.10.x (proxy mode)

Operating Systems [2]
▪ Linux x86 (Oracle Enterprise Linux, Red Hat Enterprise Linux AS/ES, SuSe)
▪ Sun SPARC Solaris
▪ HP PA-RISC HP/UX
▪ IBM AIX

[1] For 12.0.x, application server Java version must be upgraded to JDK 1.6.
[2] For 11.5.x, OS version must be supported by JDK 1.8.
AppDefend and Oracle EBS 12.2

(Architecture diagram: Client Browser → https → Apache → WebLogic, with AppDefend inside WebLogic → Database (APPS).
Oracle R12 Application Server tiers: Java Server Pages (JSP), 8,000 JSP pages; OA Framework (OA/RF.jsp), 11,600 pages;
Core Servlets, 30 servlet classes; Web Services Servlets, 70 servlet classes; Oracle Forms, 4,000 forms.)

▪ AppDefend runs within the WebLogic Java containers as a servlet filter and Java agent that monitors all
incoming requests, out-going responses, and key method calls. Being in the Java container, AppDefend
can access all session state, attributes, error messages, EBS APIs, and the database.
AppDefend and Oracle EBS 12.0 & 12.1

(Architecture diagram: Client Browser → https → Apache → OC4J, with AppDefend inside OC4J → Database (APPS).
Oracle R12 Application Server tiers: Java Server Pages (JSP), 8,000 JSP pages; OA Framework (OA/RF.jsp), 11,600 pages;
Core Servlets, 30 servlet classes; Web Services Servlets, 70 servlet classes; Oracle Forms, 4,000 forms.)

▪ AppDefend runs within the Oracle E-Business Suite OC4J containers as a servlet filter and Java agent
that monitors all incoming requests, out-going responses, and key method calls. Being in the OC4J
container, AppDefend can access all session state, attributes, error messages, APIs, and the database.
AppDefend and Oracle EBS 11i

(Architecture diagram: Client Browser → https → AppDefend → Apache → JServ → Database (APPS).
Oracle 11i Application Server tiers: Java Server Pages (JSP), 8,000 JSP pages; OA Framework (OA/RF.jsp), 11,600 pages;
Core Servlets, 30 servlet classes; Web Services Servlets, 70 servlet classes; Oracle Forms, 4,000 forms.)

▪ AppDefend runs as a reverse proxy on the Oracle EBS application server intercepting all requests and
responses. AppDefend is able to act as an SSL/TLS termination point due to the vulnerabilities in the
EBS SSL libraries.
AppDefend Features

Configuration
▪ Dynamic reloading of configuration files – no restarting of the application server required
▪ Disable AppDefend dynamically and log only mode
▪ Parallel configurations to support transition to SSO and MFA
▪ Rules and configuration files use JSON notation
▪ Support for all EBS architectures like shared APPL_TOPs and DMZ servers

Logging and Alerting
▪ Flexible formatting and destinations
▪ Files with periodic or size-based rotation, size limits
▪ Syslog with support for major logging platforms (Splunk, ArcSight, enVision, QRadar, Microsoft Sentinel,
AWS CloudWatch, etc.)

Resiliency
▪ Fail open or closed upon internal errors
▪ Fail open or closed upon startup or configuration errors
AppDefend Installation and Updates

▪ One hour installation web sessions included with subscription – 15-minute install, 45-minute walk-through

Installation
▪ Download and install AppDefend binary and rules
▪ Customize AppDefend base configuration
▪ AutoConfig customization
▪ Restart oacore Java container

Updates
▪ New rules and rule updates – quarterly or as needed
▪ Download and unzip appdefend.zip
▪ AppDefend dynamically reloads rules

Upgrades
▪ New features and non-rule fixes – biannual or as needed
▪ Download and unzip appdefend.zip
▪ Restart oacore Java container

Section 2: Application Protection and Defense
SQL Injection Explained

Attacker modifies URL with extra SQL

http://<server>/pls/VIS/fnd_gfm.dispatch?p_path=fnd_help.get/US/fnd/@search');%20fnd_user_pkg.updateUser('operations',%20'SEED',%20'welcome1

Oracle EBS appends the injected SQL to the SQL statement being executed
▪ SQL executed as APPS database account
▪ Example changes any application account password

This vulnerability was patched as part of Oracle Security Alert #32


Cross Site Scripting (XSS) Illustrated

A – Attacker enters malicious JavaScript into job application description field to, for example,
automatically approve resume

B – HR Manager opens job application in Oracle and script executes in browser

C – Script calls an Oracle EBS URL in a hidden frame to execute some EBS functionality
Cross Site Scripting – Sample Attacks

<script>alert(0)</script>

<img src="x:x" onerror="alert(0)">

<iframe src="javascript:alert(0)">

<object data="javascript:alert(0)">

<isindex type=image src=1 onerror=alert(0)>

<img src=x:alert(alt) onerror=eval(src) alt=0>

with(document)alert(cookie)

eval(document.referrer.slice(10));

(É=[Å=[],µ=!Å+Å][µ[È=-~-~++Å]+({}+Å) [Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])() [µ[Å]+µ[Å+Å]+Ç[È]+ª](Å)

</a onmousemove="alert(1)">

data:text/html,<script>alert(0)</script>

%C0%BCscript%C0%BEalert(1)%C0%BC/script%C0%BE

<ScRIPT x src=//0x.lv?
Cross Site Scripting References

XSS Cheat Sheet – http://ha.ckers.org/xss.html

WSC Script Mapping Project – http://www.webappsec.org/projects/scriptmapping

OWASP XSS Reference – https://www.owasp.org/index.php/Cross-Site_Scripting
Oracle EBS Security Vulnerabilities

1,041 Oracle E-Business Suite security vulnerabilities fixed between January 2005 and April 2023

Oracle EBS Web Vulnerabilities Fixed
▪ ~150 SQL Injection in web pages
▪ ~640 Cross Site Scripting
▪ ~90 Authorization/Authentication
▪ ~60 Business Logic Issues
▪ ~7 Non-EBS Vulnerabilities
OWASP Top 10 – Oracle E-Business Suite Mapping

Ten top security risks commonly found in web applications listed by level of risk

A1: Broken Access Control
A2: Cryptographic Failures
A3: Injection
A4: Insecure Design
A5: Security Misconfiguration
A6: Vulnerable and Outdated Components
A7: Identification and Authentication Failures
A8: Software and Data Integrity Failures
A9: Security Logging and Monitoring Failures
A10: Server-side Request Forgery (SSRF)

(The slide color-codes each category for Oracle EBS as High Risk, Medium Risk, or Low Risk.)

http://www.owasp.org/index.php/Top_10
WASC Threat Classification

Web Application Security Consortium – Comprehensive list of threats to the security of a web site –
attacks and weaknesses

Attacks: Abuse of Functionality, Brute Force, Buffer Overflow, Content Spoofing, Credential/Session Prediction,
Cross-Site Scripting, Cross-Site Request Forgery, Denial of Service, Fingerprinting, Format String,
HTTP Response Smuggling, HTTP Response Splitting, HTTP Request Smuggling, HTTP Request Splitting,
Integer Overflows, LDAP Injection, Mail Command Injection, Null Byte Injection, OS Commanding,
Path Traversal, Predictable Resource Location, Remote File Inclusion (RFI), Routing Detour,
Session Fixation, SOAP Array Abuse, SSI Injection, SQL Injection, URL Redirector Abuse, XPath Injection,
XML Attribute Blowup, XML External Entities, XML Entity Expansion, XML Injection, XQuery Injection

Weaknesses: Application Misconfiguration, Directory Indexing, Improper File System Permissions,
Improper Input Handling, Improper Output Handling, Information Leakage, Insecure Indexing,
Insufficient Anti-automation, Insufficient Authentication, Insufficient Authorization,
Insufficient Password Recovery, Insufficient Process Validation, Insufficient Session Expiration,
Insufficient Transport Layer Protection, Server Misconfiguration

http://www.webappsec.org (slide legend: High Risk * Medium Risk * Low Risk * No Risk)


Inherent Risks with Package Software

Structure and vulnerabilities within the application are well known and documented

▪ An attacker knows exactly what to expect and how the application is structured
▪ No probing or reconnaissance of the application is required
▪ Fatal attack can be one URL
▪ Allows for easy automated attacks

Another Layer of Security

Web Application Firewalls (WAF) are specialized firewalls designed to detect and
prevent web application attacks by analyzing the HTTP web requests.

❖ Prevents common web application attacks
Detects and blocks SQL injection, XSS, and known vulnerabilities in widely used web applications

❖ Often implemented as an appliance
Dedicated appliance used to protect all web applications in an organization

❖ May be required for compliance such as PCI-DSS
PCI-DSS 2.0 requirement 6.6 requires use of a WAF or periodic reviews
Web Application Firewall (WAF) Shortcomings

❖ Must be heavily customized for Oracle EBS
▪ No out of the box rules for Oracle EBS – no CPU specific rules
▪ Unaware of the unique web application architecture of OA Framework
▪ Rules, application profiles, and learning must be developed, tuned, and tested by you
▪ Oracle EBS comprises multiple web architectures, resulting in additional tuning

❖ Unable to block unused Oracle EBS modules
▪ Due to the complexity of the Oracle naming and design, very difficult to implement blocking
of EBS modules with WAF rules

❖ Significant cost, effort, and skill required to deploy
▪ WAFs are usually an appliance that must be deployed and the learning curve for
configuring and operating an enterprise WAF is steep

❖ AppDefend is complementary with an enterprise WAF solution
▪ AppDefend can be stand-alone or combined with an existing WAF
▪ Multiple layers of defense
▪ Enterprise WAF provides general protection and eliminates “noise”
▪ AppDefend provides Oracle EBS specific layer of protection
Oracle EBS R12 DMZ Configuration

(Architecture diagram: Client Browser → https → Apache → OC4J/WebLogic → Database (APPS).
Oracle Application Server tiers: Java Server Pages (JSP), 8,000 JSP pages; OA Framework (OA/RF.jsp), 11,600 pages;
Core Servlets, 30 servlet classes; Web Services Servlets, 70 servlet classes; Oracle Forms, 4,000 forms.)

▪ All Oracle E-Business Suite environments include ALL modules (250+) and ALL web pages
(20,000+) even if modules are not installed, licensed, or configured. Many security
vulnerabilities exist in unused modules.
Oracle EBS R12 DMZ Configuration

(Architecture diagram: the same tiers as above, with a URL Firewall and Node Trust Level placed between
Apache and the OC4J/WebLogic tiers; the slide annotates reduced counts of 90, 250 and 3 against the tiers
reachable from the DMZ.)

▪ Proper DMZ configuration reduces accessible pages and responsibilities to only those
required for external access. Reducing the application surface area eliminates possible
exploiting of vulnerabilities in non-external modules. (See MOS Note ID 380490.1)
Oracle EBS 11i Web Components

Component                      11i Version   Release Date   Non-EBS Desupport [1]
Oracle Application Server [3]  1.0.2.2.2     Dec 2001       June 2004
Apache [3]                     1.3.19        Feb 2001       Feb 2010
Jserv                          1.1.2         June 2000      June 2006
mod_security                   1.8.4         July 2004      May 2006
OpenSSL                        0.9.5a        Sept 2000      March 2004
OpenSSL                        0.9.8zh [2]   Dec 2015       Dec 2016

1. Oracle EBS 11i web components are desupported but had support exceptions for 11i environments through January 2016. As of
January 2016, all support for 11i and associated technology stack components has ended.
2. OpenSSL updated from 0.9.5a to 0.9.8zh with July 2015 Critical Patch Update for OAS 1.0.2.2.2.
3. Security vulnerabilities are patched but version is not upgraded.
AppDefend Virtual Patching

Eliminate risk and exploitation of the security bug by blocking access to the vulnerable code

▪ Integrigy analyzes the Oracle Critical Patch Update (CPU)
▪ Delivers pre-defined rules for CPU web bugs
▪ Rules may be at the page or field level to block known vulnerabilities

Integrigy Oracle CPU Analysis

For each quarterly Oracle CPU, Integrigy performs an analysis and updates
the AppDefend rule set to include virtual patch rules for all external and
internal web vulnerabilities

(Slide shows a sample from the Integrigy CPU Analysis)

Deep Request Inspection™

Analyze all user provided input to identify and block malicious input

▪ Intelligent checking of ALL parameters, user input
▪ Uses best practice libraries for XSS and SQL injection detection
– OWASP AntiSamy, Java HTML Sanitizer
– OWASP ESAPI
▪ Malicious input may be detected, blocked, or sanitized
Section 3: Application SSO and MFA
SSO Benefits for Oracle E-Business Suite

▪ Increase employee and IT productivity
– Improve user experience by eliminating multiple application logins
– Better application usability and employee satisfaction by reducing password fatigue

▪ Reduce IT costs
– Fewer support calls for password resets and authentication issues

▪ Improve security
– Reduce risk of password theft due to password fatigue
– Enhance password strength with fewer passwords
– Enables enforcement of stronger and more realistic password policies

▪ Improve compliance
– Single point of user termination across applications
– Simplify user and password management
– Implement additional account controls like risk-based authentication
Oracle E-Business Suite User Populations – SSO and MFA

AppDefend SSO and MFA can be tailored to specific Oracle EBS user populations and
configured with different SSO and MFA methods for each user population. Mix and match
SSO and MFA even multiple SSO solutions for different groups of internal users.

▪ Internal Users (SSO and/or MFA)
– Typical options for SSO/Authentication: SAML (AD, Azure AD, Okta, etc.)
– Typical options for MFA: (1) with SAML; (2) DUO, RSA, RADIUS, PKI, and SmartCard

▪ Generic Internal Users (SYSADMIN, BATCH, JOB, …)
– Typical options for SSO/Authentication: SAML named user
– Typical options for MFA: (1) SAML named user; (2) FND_USER named user; (3) DUO

▪ External Users – Suppliers (iSupplier)
– Typical options for SSO/Authentication: FND_USER
– Typical options for MFA: (1) TOTP; (2) SMS; (3) Email; (4) no MFA

▪ External Users – Candidates/Customers (iRecruitment/iStore)
– Typical options for SSO/Authentication: FND_USER
– Typical options for MFA: (1) TOTP; (2) SMS; (3) Email; (4) no MFA
AppDefend SSO Feature (SAML)

▪ AppDefend adds single sign-on (SSO) for Oracle E-Business Suite
– SAML 2.0 support for Oracle EBS as a service provider (SP)
– No additional hardware or servers
– No additional identity management software

▪ Direct integration with SAML 2.0 Identity Providers (IdP)
– Supports any SAML 2.0 IdP such as Active Directory On-Premise (ADFS), Azure AD (Microsoft Azure
Active Directory), Okta, AWS IAM Identity Center, Ping Identity

▪ Multiple Modes
– Oracle E-Business Suite SSO Provider (system profile options)
– AppDefend servlet filter
– Direct SSO to Oracle E-Business Suite
– WebADI and EBS mobile applications are fully supported

▪ Secure Implementation
– Oracle EBS Session cookie set to “host” rather than “domain”
AppDefend SSO SAML Flow – High-level

Participants: Identity Provider (SAML IdP), User’s Browser, Oracle EBS with AppDefend (SAML SP).
SAML configuration is held on both the IdP and the AppDefend side.

1 User accesses Oracle EBS
2 AppDefend redirects user to Identity Provider for login
3 User logs in through Identity Provider and is redirected back to Oracle EBS – AppDefend signs user in
AppDefend SSO SAML Flow

Participants: Identity Provider (SAML IdP), User’s Browser, AppDefend (SAML SP) running in the Oracle EBS
Java Container, Oracle EBS. AppDefend sits on the Oracle E-Business Suite Application Server (12.0, 12.1,
12.2) behind a Load Balancer/Reverse Proxy; SAML IdP/SP configuration is held on the IdP side and SAML
SP/IdP configuration on the AppDefend side.

1 User accesses any Oracle EBS URL
2 AppDefend generates SAML request and returns to browser with redirect to IdP
3 SAML request redirected to IdP URL
4 SAML request is validated by IdP and IdP login page is presented to user
5 User authenticates to IdP with credentials
6 IdP generates SAML response with username and returns to browser with redirect to SP
7 SAML response with username is redirected to SP URL
8 AppDefend validates SAML response and creates EBS session using EBS API
9 AppDefend returns to browser EBS session cookie and redirect to home page or selected page
10 Browser accesses Oracle EBS URL with EBS session cookie
AppDefend SSO SAML Flow (EBS SSO Configuration)

Participants: Identity Provider (SAML IdP), User’s Browser, AppDefend (SAML SP) running in the Oracle EBS
Java Container, Oracle EBS. AppDefend sits on the Oracle E-Business Suite Application Server (12.0, 12.1,
12.2) behind a Load Balancer/Reverse Proxy; SAML IdP/SP configuration is held on the IdP side and SAML
SP/IdP configuration on the AppDefend side.

1 User accesses any Oracle EBS URL
2 EBS redirects to specified SSO URL
3 User accesses any Oracle EBS URL
4 AppDefend generates SAML request and returns to browser with redirect to IdP
5 SAML request redirected to IdP URL
6 SAML request is validated by IdP and IdP login page is presented to user
7 User authenticates to IdP with credentials
8 IdP generates SAML response with username and returns to browser with redirect to SP
9 SAML response with username is redirected to SP URL
10 AppDefend validates SAML response and creates EBS session using EBS API
11 AppDefend returns to browser EBS session cookie and redirect to home page or selected page
12 Browser accesses Oracle EBS URL with EBS session cookie
AppDefend SSO SAML Flow (SSO Homepage)

Participants: Identity Provider (SAML IdP), User’s Browser, AppDefend (SAML SP) running in the Oracle EBS
Java Container, Oracle EBS. AppDefend sits on the Oracle E-Business Suite Application Server (12.0, 12.1,
12.2) behind a Load Balancer/Reverse Proxy; SAML IdP/SP configuration is held on the IdP side and SAML
SP/IdP configuration on the AppDefend side.

1 User authenticates to IdP with credentials
2 User presented with a list of available SSO applications
3 User selects Oracle EBS to access
4 IdP generates SAML response with username and returns to browser with redirect to SP
5 SAML response with username is redirected to SP URL
6 AppDefend validates SAML response and creates EBS session using EBS API
7 AppDefend returns to browser EBS session cookie and redirect to home page or selected page
8 Browser accesses Oracle EBS URL with EBS session cookie
AppDefend SSO SAML Security

(Step numbers refer to the SAML flow above.)

Step 1
▪ AppDefend protects access to all Oracle EBS URLs
▪ Must be authenticated to access any URLs except specific pages such as iStore or iSupplier registration

Step 2
▪ SAML request is signed (SHA-512 if supported by IdP) and encrypted (AES-256) using IdP public key
▪ SAML request should be communicated using TLS 1.2 or 1.3 based on your configuration

Step 6
▪ SAML response is signed (SHA-512 if supported by IdP) and encrypted (AES-256) using AppDefend public key

Steps 9 and 10
▪ AppDefend validates the integrity of the SAML response by decrypting using the AppDefend private key
and verifying the signature against the IdP public key
▪ AppDefend sets the Oracle EBS session cookie scope to host to prevent session hijacking
▪ All other Oracle EBS SSO solutions require session cookie scope to be set to domain which allows for
potential session hijacking attacks
▪ AppDefend can maintain a mapping of EBS session cookies to IP address in order to prevent session
hijacking attacks
▪ SAML replay attacks are prevented with a narrow expiration window, matching SAML request id for
request and response as well as to JSESSIONID, and blocking already accepted assertions
▪ AppDefend prevents XML entity and schema attacks by blocking entity tags and whitelisting schemas
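The replay protections just listed (request id matched between request and response and bound to the browser's JSESSIONID, a narrow validity window, and one-time acceptance of assertions), as an added Python example that is not AppDefend's code. It models only the service-provider side on a response already parsed from the decrypted XML; the HMAC stands in for the XML signature check, and the key, ids and timestamps are constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed key standing in for the IdP signing key; a real SP verifies the
# XML-DSig signature against the IdP public key instead of an HMAC.
IDP_SIGNING_KEY = b"constructed-idp-signing-key"
CLOCK_SKEW = timedelta(seconds=30)       # tolerance around NotBefore/NotOnOrAfter
MAX_REQUEST_AGE = timedelta(minutes=5)   # how long an outstanding AuthnRequest stays valid
NOW = datetime(2023, 10, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example
SIGNED_FIELDS = ("assertion_id", "in_response_to", "subject", "not_before", "not_on_or_after")


def at(seconds):
    """Point in time `seconds` after the fixed example clock."""
    return NOW + timedelta(seconds=seconds)


def canonical(resp):
    """Deterministic byte string over the fields the (stand-in) signature covers."""
    return "|".join(str(resp[f]) for f in SIGNED_FIELDS).encode()


def idp_sign(resp):
    """Constructed IdP: attach an HMAC-SHA512 'signature' to a response dict."""
    signed = dict(resp)
    signed["signature"] = hmac.new(IDP_SIGNING_KEY, canonical(resp), hashlib.sha512).hexdigest()
    return signed


def make_response(assertion_id, in_response_to, subject, ttl_seconds=120):
    """Constructed IdP response; in_response_to=None models the IdP-initiated (SSO homepage) flow."""
    return idp_sign({"assertion_id": assertion_id, "in_response_to": in_response_to,
                     "subject": subject, "not_before": NOW,
                     "not_on_or_after": NOW + timedelta(seconds=ttl_seconds)})


class SamlServiceProvider:
    """Tracks outstanding AuthnRequests per browser session and assertions already consumed."""

    def __init__(self):
        self.outstanding = {}   # request id -> (jsessionid, issued_at)
        self.accepted = set()   # assertion ids already used to create an EBS session

    def new_request(self, jsessionid, now):
        # The request id is bound to the JSESSIONID that started the login, so the
        # response can only be consumed by that browser session.
        rid = "_" + hashlib.sha256(f"{jsessionid}|{now.isoformat()}".encode()).hexdigest()[:24]
        self.outstanding[rid] = (jsessionid, now)
        return rid

    def validate(self, resp, jsessionid, now):
        """Return (True, subject) or (False, reason); a success consumes the assertion id."""
        expected = hmac.new(IDP_SIGNING_KEY, canonical(resp), hashlib.sha512).hexdigest()
        if not hmac.compare_digest(expected, resp.get("signature", "")):
            return False, "signature invalid"
        rid = resp["in_response_to"]
        if rid is not None:   # SP-initiated flow: the response must answer our own request
            if rid not in self.outstanding:
                return False, "unknown request id"
            bound_session, issued_at = self.outstanding[rid]
            if bound_session != jsessionid:
                return False, "request id bound to a different JSESSIONID"
            if now - issued_at > MAX_REQUEST_AGE:
                del self.outstanding[rid]
                return False, "request expired"
        if now < resp["not_before"] - CLOCK_SKEW or now >= resp["not_on_or_after"] + CLOCK_SKEW:
            return False, "assertion outside validity window"
        if resp["assertion_id"] in self.accepted:
            return False, "assertion already accepted"
        if rid is not None:
            del self.outstanding[rid]      # one response per request
        self.accepted.add(resp["assertion_id"])   # one session per assertion
        return True, resp["subject"]


if __name__ == "__main__":
    sp = SamlServiceProvider()
    rid = sp.new_request("JSESS-A", NOW)
    resp = make_response("_a1", rid, "OPERATIONS")
    print(sp.validate(resp, "JSESS-A", at(5)))   # accepted once
    print(sp.validate(resp, "JSESS-A", at(6)))   # replay rejected
```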
AppDefend SSO SAML User Mapping

AppDefend can map Identity Provider user to Oracle E-Business Suite user using different
attributes or values from both the Identity Provider and Oracle E-Business Suite. Multiple
match rules can be defined and evaluated per login.

Identity Provider (IdP) side
▪ SAML nameId
▪ SAML attributes – username, email address, employee id, custom attribute

Match

Oracle E-Business Suite side
▪ username
▪ email address
▪ employee id
▪ custom database query

Transformations (e.g., {first|slice(0,1)}{last})
Expression mapping (e.g., {first}.{last}@integrigy.com)
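The match rules and transformation expressions above, as an added Python example (not AppDefend's own expression syntax or code): a small renderer for `{attribute|filter(args)}` templates and a mapper that evaluates rules in order against constructed FND_USER-like rows, refusing to log a user in on an ambiguous match. The filter names, the rule list and the user rows are assumptions for the example.

```python
import re

# Template token: {attribute} optionally followed by |filter or |filter(args).
TOKEN = re.compile(r"\{(\w+)((?:\|\w+(?:\([^)]*\))?)*)\}")


def apply_filter(value, name, args):
    """Filters assumed for the example; slice(start,end) mirrors the slide's syntax."""
    if name == "slice":
        start, end = (int(a) for a in args.split(","))
        return value[start:end]
    if name == "lower":
        return value.lower()
    if name == "upper":
        return value.upper()
    raise ValueError(f"unknown filter: {name}")


def render(expr, attrs):
    """Expand an expression with IdP attributes; None if any referenced attribute is missing."""
    missing = False

    def expand(m):
        nonlocal missing
        value = attrs.get(m.group(1))
        if value is None:
            missing = True
            return ""
        for part in m.group(2).split("|")[1:]:
            name, _, rest = part.partition("(")
            value = apply_filter(value, name, rest.rstrip(")"))
        return value

    out = TOKEN.sub(expand, expr)
    return None if missing else out


class UserMapper:
    """Evaluates (idp_expression, ebs_column) rules in order; the first unique hit wins."""

    def __init__(self, ebs_users, rules):
        self.ebs_users = ebs_users
        self.rules = rules

    def map_user(self, idp_attrs):
        for expr, column in self.rules:
            value = render(expr, idp_attrs)
            if value is None:
                continue                      # rule needs an attribute the IdP did not send
            hits = [u for u in self.ebs_users if u.get(column, "").lower() == value.lower()]
            if len(hits) == 1:
                return hits[0]["user_name"], f"{expr} -> {column}"
            if len(hits) > 1:
                return None, f"ambiguous match via {expr} -> {column}"   # never sign in on ambiguity
        return None, "no unique match"


# Constructed rows standing in for FND_USER; the third shares an employee id on purpose.
EBS_USERS = [
    {"user_name": "JSMITH", "email_address": "john.smith@example.com", "employee_id": "1001"},
    {"user_name": "JDOE", "email_address": "jane.doe@example.com", "employee_id": "1002"},
    {"user_name": "JDOE2", "email_address": "jdoe@example.com", "employee_id": "1002"},
]

# Rules are tried top to bottom, from the most exact identifier to a derived username.
RULES = [
    ("{nameId}", "user_name"),
    ("{email}", "email_address"),
    ("{employeeNumber}", "employee_id"),
    ("{first|slice(0,1)}{last}", "user_name"),
]

MAPPER = UserMapper(EBS_USERS, RULES)

if __name__ == "__main__":
    print(MAPPER.map_user({"nameId": "jsmith@corp.example", "first": "John",
                           "last": "Smith", "email": "john.smith@example.com"}))
    print(render("{first|lower}.{last|lower}@integrigy.com", {"first": "John", "last": "Smith"}))
```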
MFA Benefits

▪ Prevent fraud and phishing attacks
– Two or more methods of identity verification makes account take-over harder

▪ Improve security
– Enable strong authentication
– Reduce risk of compromised passwords

▪ Improve compliance
– PCI-DSS requires MFA for access in some situations
– GDPR, HIPAA, and other standards require strong authentication

▪ Contextualize authentication
– MFA can be required when specific data is accessed or actions performed like employee self-service direct
deposit changes
AppDefend Adaptive Multi-Factor Authentication

AppDefend enables adaptive multi-factor authentication (MFA/2FA) for Oracle EBS using DUO Security,
TOTP, SMS, email, or PKI (smartcards).

(Flow diagram: Oracle EBS Login Page – Success → MFA Page (“Send Me a Push”) – Success → Logged in;
a Failed outcome at either step does not log the user in.)

▪ Multi-Factor Authentication – Enhances Oracle EBS login security by integrating with 2FA to provide
secondary authentication
▪ Per Page, Responsibility, Function – Require 2FA when user selects or accesses specific pages,
responsibilities, or functions through menus or directly
AppDefend Two-Factor Authentication

▪ Application-aware
– 2FA for login, user, responsibility, function, or page
– Multiple 2FA authentications can be configured for different use cases and controls

▪ Context-aware
– 2FA may be triggered based on session context such as time, location, device, etc.

▪ Single 2FA request per application session
– 2FA authentications only when required

▪ Enhanced logging and audit trail for all authentications

▪ Supports local EBS authentication or single-signon

▪ No additional hardware or single point of failure


Two-Factor Authentication Use Cases

▪ Entire Application
– Require 2FA when logging into Oracle EBS

▪ Privileged Responsibilities
– Require 2FA when user accesses specific responsibilities like System Administrator
– Protect highly privileged responsibilities from malicious use

▪ Privileged Users
– Require 2FA when highly privileged users like SYSADMIN login
– Preventative control for privileged, generic users accounts for SOX compliance
– Limit access to generic user accounts by 2FA devices
– Audit trail of named users accessing generic user accounts

▪ High Risk Functions or Pages
– Require 2FA when user accesses specific functions or pages
– Prevent fraud by requiring 2FA when user accesses self-service HR bank accounts
AppDefend MFA

AppDefend provides contextual multi-factor authentication for logins (SSO and non-SSO users),
responsibilities, pages, and/or functions. MFA options are Duo Security, TOTP, SMS, and PKI (smartcards).

Contextual Multi-factor Authentication

Solution                                                 SSO User Login   Non-SSO User Login   Responsibility   Page/Function
AppDefend MFA (with or without SSO SAML)                 ✓                ✓                    ✓                ✓
AppDefend SSO SAML with IdP MFA                          ✓
Legacy Oracle EBS SSO (such as OID/OAM or Oracle IDCS)   ✓
AppDefend Generic Account Protection

AppDefend MFA can be used to protect Oracle E-Business Suite privileged, generic accounts
(GA), such as SYSADMIN. Multiple options to protect generic accounts and a different option
may be used for each generic account.

Generic Account MFA Options and MFA Flow

1. SSO Named User – profile option and/or authorized user list as GA for named user
Flow: EBS login → IdP login page → Logged into EBS as GA if user allowed

2. FND_USER Named User – profile option and/or authorized user list as GA
Flow: EBS login → Login page for named user → Logged into EBS as GA if user allowed

3. MFA Solution such as DUO – authorized in MFA solution for GA
Flow: EBS login as GA → 2FA using assigned 2FA → Logged into EBS as GA

4. Identity Provider (IdP) – authorized in IdP to access GA
Flow: Direct IdP → User’s App Homepage → Click GA assigned Tile → Logged into EBS as GA
AppDefend Generic Account Protection Example Scenarios

A client with about 30 generic accounts used for various purposes configured AppDefend MFA
to protect the generic accounts. Scenarios for one generic account to many named users, many
generic accounts to one named user, and many generic accounts to many named users can all
be easily configured and maintained. All logins including named user are monitored and logged.

▪ SYSADMIN – generic account: SYSADMIN
– Tile in IdP
– Assigned by IdP group
– Tightly controlled, limited to DBAs
– SYSADMIN password not known by DBAs

▪ Job Scheduling – generic accounts: 10 accounts, one per module, such as GL_JOB
– One AppDefend rule for all 10 accounts
– Access controlled using both an authorized user list (DBAs) and profile option set per named user
(operations team)

▪ Maintenance/Setups – generic accounts: 12 accounts, one per module, such as GL_SETUP
– One AppDefend rule for all 12 accounts
– Access only allowed if AppDefend EBS maintenance feature is enabled
– Access controlled using profile option set per named user

▪ Upgrade/Patch Test – generic accounts: 6 accounts, such as TEST1
– An AppDefend rule for each of the 6 accounts
– Access controlled using profile option set per named user and DBA team sets prior to testing as
testers will change based on the patches applied
– AppDefend logging enabled for these accounts to capture all activity
Section 4: AppDefend Features
Application Logging and Auditing

Log and audit key application and security events beyond Oracle EBS
current capabilities

▪ Any page, action, parameter, session attribute may be logged or audited

▪ PCI logging includes all sessions, responsibilities, and potentially card number
access through the application

▪ Log data can be sent to external systems such as Splunk, ElasticSearch, ArcSight,
QRadar, LogRhythm, Microsoft Sentinel, AWS CloudWatch, …

▪ Solves gaps in Oracle EBS logging such as IP address for failed logins
AppDefend Processing

(Processing flow diagram: Request & Response → Rules (path inclusion, arguments, operators) → Match → Actions
(Log file, Syslog, E-mail, Database; Updates Exceeded Thresholds). No Match → Next Rule.)
AppDefend Permit Rule

(Architecture diagram: Client Browser → https → Apache → OC4J, with AppDefend inside OC4J → Database (APPS).
Java Server Pages (JSP), 8,000 JSP pages – JSPs filtered by module rules; OA Framework (OA/RF.jsp), 11,600 pages –
OAF pages filtered based on functions (sql injection, xss, …); Core Servlets, 30 servlet classes – servlets filtered
by module rules; Web Services Servlets, 70 servlet classes – web services filtered based on service names;
Oracle Forms, 4,000 forms – Oracle Forms blocked for external access.)

AppDefend allows access to only permitted Oracle EBS modules based on a group of white-listed
modules. Individual files may be permitted also. Web page and OA Framework customizations are
supported.
AppDefend Arguments

AppDefend rules and alerts may use one or more of these arguments.

ebs.* – ebs.function_id, ebs.function_id_all, ebs.function_name, ebs.resp_id, ebs.resp_name, ebs.user_id,
ebs.user_name, ebs.user_signon_name

request.* – request.attribute.<name>, request.attributes.names, request.auth_type, request.body_length,
request.character_encoding, request.content_length, request.context_path, request.cookie.<name>,
request.cookies.names, request.file_extension, request.file_name, request.header.<name>,
request.headers.names, request.is_secure, request.line, request.local_addr, request.local_port,
request.method, request.parameter.<name>, request.parameters.combined_size,
request.parameters.get_names, request.parameters.get_values, request.parameters.names,
request.parameters.put_names, request.parameters.put_values, request.parameters.values,
request.path_info, request.path_translated, request.protocol, request.query_string,
request.remote_addr, request.remote_host, request.remote_port, request.remote_user, request.scheme,
request.server_name, request.server_port, request.servlet_path, request.servletcontext.<name>,
request.session_id, request.uri, request.url

response.* – response.content, response.content_length, response.header.<name>, response.header.names

session.* – session.attribute.<name>, session.attributes.names
AppDefend Operators

AppDefend rules can use any of these operators.

beginswith, byterange, contains, notcontains, endswith, equals, exists, greater, greatereq, ingroup,
notingroup, inlist, notinlist, ipmatch, notipmatch, less, lesseq, regex, within, notwithin
AppDefend Actions

Log – Generates a log entry or alert to a file, syslog, e-mail

Redirect – Redirects the request to a specified full URL or relative URL for the site such as
the Oracle EBS error page

Block – Block the request by returning the specified HTTP error code such as 403 Forbidden

Pause – Pause the request for the specified number of milliseconds perhaps to slow
down a brute force attack

Sanitize – Sanitize one or all parameters and headers in the request to prevent XSS,
HTML injection, or SQL injection

Stop – Stop the processing of all subsequent AppDefend rules. The Stop action is
useful to minimize AppDefend analyzing static request such as images, etc.

DoNothing – This action will do nothing as an action
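The processing flow, arguments, operators and actions described in this section, brought together in an added Python example that is not AppDefend's code and uses an assumed JSON rule shape rather than AppDefend's real schema. It resolves a subset of the argument names above against a constructed request, evaluates rules in order, and shows Stop/Block/Redirect ending processing while Log lets later rules run; the SQL injection rule is written to catch the shape of the fnd_gfm.dispatch payload from the SQL Injection slide, and all requests and addresses are constructed.

```python
import ipaddress
import json
import re

# Constructed rule set in an assumed JSON shape: every condition in "match" must
# hold for the rule's action to fire; rules are evaluated in order.
RULES_JSON = r"""
[
  {"name": "skip-static", "action": "Stop",
   "match": [{"argument": "request.file_extension", "operator": "inlist",
              "value": ["gif", "png", "css", "js"]}]},
  {"name": "sqli-in-parameters", "action": "Block", "status": 403,
   "match": [{"argument": "request.parameters.values", "operator": "regex",
              "value": "'\\s*\\)\\s*;|\\bunion\\b.+\\bselect\\b"}]},
  {"name": "sysadmin-only-from-internal", "action": "Redirect", "url": "/OA_HTML/AppsLogin",
   "match": [{"argument": "ebs.resp_name", "operator": "equals", "value": "System Administrator"},
             {"argument": "request.remote_addr", "operator": "notipmatch", "value": "10.0.0.0/8"}]},
  {"name": "log-login-posts", "action": "Log",
   "match": [{"argument": "request.uri", "operator": "endswith", "value": "/AppsLocalLogin.jsp"},
             {"argument": "request.method", "operator": "equals", "value": "POST"}]}
]
"""
RULES = json.loads(RULES_JSON)


def argument(name, req):
    """Resolve a subset of the AppDefend argument names against a constructed request dict."""
    params = req.get("parameters", {})
    if name.startswith("request.parameter."):
        return params.get(name[len("request.parameter."):])
    if name.startswith("request.header."):
        return req.get("headers", {}).get(name[len("request.header."):].lower())
    uri = req["uri"]
    file_name = uri.rsplit("/", 1)[-1]
    table = {
        "request.uri": uri,
        "request.method": req["method"],
        "request.remote_addr": req["remote_addr"],
        "request.file_name": file_name,
        "request.file_extension": file_name.rsplit(".", 1)[-1] if "." in file_name else "",
        "request.parameters.names": list(params),
        "request.parameters.values": list(params.values()),
        "ebs.resp_name": req.get("ebs", {}).get("resp_name"),
        "ebs.user_name": req.get("ebs", {}).get("user_name"),
    }
    return table.get(name)


OPERATORS = {
    "equals": lambda v, a: v == a,
    "beginswith": lambda v, a: v.startswith(a),
    "endswith": lambda v, a: v.endswith(a),
    "contains": lambda v, a: a in v,
    "notcontains": lambda v, a: a not in v,
    "regex": lambda v, a: re.search(a, v, re.IGNORECASE) is not None,
    "inlist": lambda v, a: v in a,
    "notinlist": lambda v, a: v not in a,
    "ipmatch": lambda v, a: ipaddress.ip_address(v) in ipaddress.ip_network(a),
    "notipmatch": lambda v, a: ipaddress.ip_address(v) not in ipaddress.ip_network(a),
    "greater": lambda v, a: float(v) > float(a),
    "less": lambda v, a: float(v) < float(a),
}

TERMINAL_ACTIONS = {"Block", "Redirect", "Stop"}


def condition_holds(cond, req):
    value = argument(cond["argument"], req)
    if cond["operator"] == "exists":
        return value is not None
    if value is None:
        return False
    op = OPERATORS[cond["operator"]]
    # Multi-valued arguments such as request.parameters.values match if any element matches.
    values = value if isinstance(value, list) else [value]
    return any(op(v, cond["value"]) for v in values)


def process(rules, req):
    """Evaluate rules in order; return the (rule name, action) pairs that fired."""
    fired = []
    for rule in rules:
        if all(condition_holds(c, req) for c in rule["match"]):
            fired.append((rule["name"], rule["action"]))
            if rule["action"] in TERMINAL_ACTIONS:
                break   # Block/Redirect end the request; Stop ends rule processing
    return fired


if __name__ == "__main__":
    print(process(RULES, {"method": "GET", "uri": "/OA_HTML/cabo/images/t.gif", "remote_addr": "10.1.2.3"}))
```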


Section 5: Q&A
Integrigy Contact Information

Integrigy Corporation
web – www.integrigy.com
e-mail – info@integrigy.com
blog – integrigy.com/oracle-security-blog
youtube – youtube.com/integrigy

Copyright © 2023 Integrigy Corporation
